CyberArk PAS (PTA) Installation - Part 5

This post is to record the steps I used to install PTA. There are lots of mistakes I made during installing PTA and integrating it with Vault and PVWA.

I used VM Installation - Hyper-V image. During lab, I used 16G RAM and 8 vCPU.

Architecture

CyberArk PAS (Privileged Access Security) solution

PTA-PSM Integration Architecture

Web GUI: https://<IP>
Monitoring : https://<IP>/monitoring


Where are events/logs from?

Install Wizard

Install PTA using the Wizard. It will be ran a couple of times. First time it will be used to change root password and set up network configuration. We also are able to see Web GUI to load license but it won't be able to integrate with PAS Vault and PVWA. 

1.

On the system console, log in as the root user using the following password: DiamondAdmin123!

2.

Navigate to the prepwiz folder using the PREPWIZDIR command.

3.

At the command line, run the following command:

./run.sh

The installation wizard begins. Default values are displayed in brackets. For any optional tasks, chose no. 

Step 1 - View the Usage Agreement and accept its terms

Step 2 - Change the PTA root user password

Step 3 - Specify the network configuration

Step 4 (optional) - Configure domain names mapping

Step 5 - Configure the date and time zone

Step 6 - Initialize the database

Step 7 - Configure the internal components

Step 8 (optional) - Configure the connection to the Vault and PVWA

Step 9 (optional) - Configure the Vault activities report

Step 10 (optional) - Create baselines

Step 11 (optional) - Load the Vault inventory report

Step 12 - Specify source hosts

Step 13 (optional) - Configure the PTA Network Sensor and PTA Windows Agent connection

Step 14 (optional) - Configure Golden Ticket detection

Step 15 (optional) - Configure email notifications

Step 16 - Configure the PTA maintenance user

Step 17 - Deploy the web application

Step 18 (optional) - Initialize the Privileged Threat Analytics solution

Log into Web GUI

https://<IP>

Username : administrator
Password : Administrator

You will need a license file to continue logging into Web GUI.

Generate CSR and Send to CA to Sign

Note:  Import your Organization's SSL Certificate.

Generate a Certificate Signing Request for the PTA Server

1.

On the system console, log in as the root user using the password you specified during installation.

2.

Start the PTA utility by running the following command:

/opt/tomcat/utility/run.sh

3.

Select 14. Generating a Certificate Signing Request (CSR).

You can also generate a Certificate Signing Request by running the /opt/tomcat/utility/certificateSigningRequestGenerationUtil.sh command.

4.

Specify the certificate details.

• PTA Host name
• Organization
• Department
• City
• State
• Country Code
• PTA Server shared FQDN (this is optional for disaster recovery mode)
• Subject Alternative Names (SAN)

The Certificate Signing Request (CSR) is created in the pta_server.csr file located at /opt/tomcat/ca.

5.

Provide the CSR to your organization's Certificate Authority (CA).

6.

The CA generates the Certificate and the Certificate Chain.

Paste CSR into CA Advanced Certificate Request page and generate certificate.
1. Download Certificate, not the certificate chain.
2.  From CA http://localhost/certsrv/ page, download CA certificate, not certificate chain.

Imported Signed Certificate and CA Certificate

1.	Upload the Certificate and the Certificate Chain using WinSCP to the PTA Server machine.

2.

On the system console, log in as the root user using the password you specified during installation.

3.

Start the PTA utility by running the following command:

/opt/tomcat/utility/run.sh

4.

Select 15. Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates).

You can also install the Certificate Chain by running the /opt/tomcat/utility/sslCertificateInstallationUtil.sh command.

5.

Specify the SSL certificate chain details of the PTA Server.

This step requires Vault Admin credentials using CyberArk authentication, and a restart of PTA services.
Installing SSL Certificate Chain (Root, Intermediate(s), PTA Server certificates):

a.

Specify the PTA Server Certificate location:

Specify PTA Server Certificate full path:

Do you have a Root Certificate (y/n)?:y

c.

Specify the root certificate location:

Specify your Root Certificate full path (for example: /tmp/RootCertificate.crt):

d.

Specify the first intermediate certificate location, if it exists:

Do you have Intermediate certificate(s) (y/n)?:n
Specify Intermediate Certificate full path:

e.

Continue to specify each additional intermediate certificate location, in order.

f.

The SSL Server Certificate is installed:

SSL Certificate Chain installed successfully

Run Install Wizard Again

YouTube Video:

References

• Install PTA
• Troubleshoot PTA Installation